On Mon, Oct 17, 2005 at 09:29:57AM -0400, Aaron Richton wrote:
> > If I run ldapsearch from another machine which has another version of
> > openldap that is not 2.3.11 nor 2.3.10, then it works.
>
> So this is against your 2.3.11 slapd, 2.3.11 ldapsearch -ZZ fails while
> <2.3.10 connects OK (2.3.11 server held constant)?
Correct.
> Do you have identical ldap.conf and/or .ldaprc on the 2.3.11 machines, and
> of course identical file contents referenced? Also, your logs are from
Using the machine with ldapsearch that works, if I remove "TLS_REQCERT
allow" from ~/.ldaprc or /etc/openldap/ldap.conf, then I get a
self-signed certificate error as expected.
> slapd -d -1 (which is a good debugging step), but you might want to try a
> ldapsearch -d -1 too so we can see the other side of the equation.
The same error code appears at the client side (either -11 with
start_tls or -1 with ldaps).
> The "telnet" seems to me a bad example, I'm pretty sure that will get
> "TLS: can't accept" in all situations. (Unless you know how to perform a
> TLS handshake by hand.)
telnet?
I used:
openssl s_client -connect ldapserver:636
to test the ldaps:// connection, and SSL was established. Obviously I didn't
do any ldap queries.
I reversed the ITS4072 patch in 2.3.11 (so that the affected files got
back to the 2.3.9 release state) and TLS started working again.
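For reference, the client-side setting discussed above, shown next to the verifying alternative (an added example, not a file from this thread; the TLS_CACERT path is an assumed placeholder):

```ini
# ~/.ldaprc or /etc/openldap/ldap.conf (example added here, not from the thread)

# What the working client in the thread relied on: accept any server
# certificate, self-signed included, without verifying it. The
# ldapsearch -ZZ handshake then succeeds, but the client cannot tell a
# spoofed server from the real one.
#TLS_REQCERT allow

# Verifying alternative: keep the default verification level (demand) and
# trust the server's self-signed certificate explicitly. The path below is
# an assumed placeholder; point it at the actual PEM file.
TLS_CACERT /etc/openldap/certs/ldapserver-ca.pem
TLS_REQCERT demand
```

With the verifying settings in place, `openssl s_client -connect ldapserver:636 -CAfile /etc/openldap/certs/ldapserver-ca.pem` should report a successful verification before `ldapsearch -ZZ` is retried.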